Cointime

Download App
iOS & Android

ZeroTrust Accounts

A proof of concept by Karandeep Singh and Alexander Chopan

What if you could use a passkey as a signer for your embedded smart contract account and reuse the account across other apps? What does that mean and who cares? Try the demo first, then come back here.

React AppWeb site created using create-react-appt.co

The goal of ZeroTrust Accounts is to provide a decentralized, secure, and self-sovereign approach to Ethereum smart contract accounts. How? With non-custodial signers (like passkeys); inbuilt or modular session keys features; server-free information access; and decentralized recovery options. karandeepsingh.eth and I got to these conclusions by working backwards from user goals to engineering solutions and product experience. Here’s the idea 0-1. This is a long post.

  1. Users
  2. Goals
  3. How accounts work today
  4. Account problems
  5. Solutions
  6. Requirements
  7. Features
  8. Proof of concept
  9. User Journey
  10. Code
  11. Demo

1. Users

Alice is a consumer. She uses many applications. She has over 100 accounts. Bob is a developer. He makes blockchain apps for consumers like Alice.

2. Goals

Alice (consumer): wants to enjoy online and onchain activities with friends, collect digital assets, use decentralized apps easily, control her account in various places, and avoid losing account access or data.

Bob (developer): wants to make user-friendly apps for NFT minting, that don’t require users to interrupt activity to approve actions, and can sponsor gas fees for user operations. He wants to use account abstraction and offer smart accounts for a better user experience.

3. How Accounts Work Today

Offchain In the current web model, there are account users and providers. Users require accounts for online activities. They provide personal data to create accounts. These accounts serve as containers for data and have rules. Users access accounts with keys and passwords. They trust providers to keep data safe.

Onchain: externally-owned accounts The Ethereum blockchain operates on an account model with one native type, the externally owned account (EOA). EOAs are controlled by private keys and operated by the account holder who possesses the private key. They are used for sending/receiving transactions and interacting with applications. EOAs are created when a private key is generated and associated with a public address. They do not require on-chain deployment or initial funding. ETH balance — is required for transactions and gas fees. Security relies on the user's management of private keys, and account recovery is not possible if the keys are lost.

Onchain: smart accounts Smart accounts In Ethereum are smart contract code. The code must be deployed to the blockchain before the user can make their first transaction. This requires some initial funds. Smart accounts have programmable features such as transaction batching, multi-signature management, two-factor authentication (2FA) and account recovery. They allow users to pay for gas fees in any token and even have their transactions sponsored. These smart features make them like mini-apps on the blockchain.

Onchain: embedded accounts Onchain embedded accounts are smart contract accounts embedded in specific dapps, allowing users to perform wallet actions directly within the dapp. These accounts are provided instantly by the dapp, removing the need for users to separately create and set up a blockchain account. Access to these accounts is limited to the dapps they are tied to, streamlining the user experience, especially for newcomers to blockchain technology. To create embedded accounts, Bob tests various SDKs from account providers to select the best one. Bob must get API keys from account providers to use their services. In order to get API keys, Bob must create new accounts for himself. Here let’s explore 2 kinds of embedded accounts Bob wants to create — an EOA and passkey based.

4. Account Problems

Not Secure Dapps connect directly to accounts and users authorize blanket access. Ethereum blockchain requires an EOA to make transaction, and to reuse same signer each time. The smart contract account security depends on EOA security. Alice’s and Bob’s security are dependent on the account types and account provider services they choose.

Low Control Users have limited control over their blockchain accounts as their behavior is hardcoded in the Ethereum protocol. For passkey-embedded accounts, apps store and manage passkey meta details in the account provider's databases, creating a dependency. Alice faces the risk of being locked out of the passkey signer if the dapp domain becomes inaccessible, which affects her ability to use her account and Bob's ability to provide her with an account.

Not Smart Users and developers waste time on account management instead of account activity. Users sign each transaction. New technologies like passkeys and embedded wallets complicate multi-account management. Account types have different functionalities and may not be compatible. Different providers interpret account abstraction differently, making it challenging for Alice and Bob to manage and migrate accounts.

5. Solutions

Create accounts that are safer and smarter by continuously removing layers of trust. Provide a decentralized, secure, and self-sovereign approach to Ethereum smart contract accounts. Use non-custodial signers (like passkeys); inbuilt or modular session keys features; server-free information access; and decentralized recovery options.

6. Engineering Requirements

More secure Ensure a secure method for managing signers, including the use of alternative signers that offer higher security than EOAs. Implement layers of separation between different accounts to enhance security. Create unique sessions each time a dapp connects to an account, with session-specific permissions like time limits, token allowances, and spending limits. Determine these permissions by combining various scopes, which are specific target contracts or methods.

More control Users should have easy access to their accounts and use them as desired, without relying on third-party providers.

Smarter They should also be able to easily create smart contract accounts without complex wallet setup. They shouldn’t have to already have an EOA. Users should be able to use dApps quickly and effortlessly, with uninterrupted and signless transactions. Actions should be automated (e.g., pre-approval, scheduling) so that users do not have to create new accounts every time they want to use a dApp.

7. Features

8. Proof of Concept

9. User Journey

Step 1: Create Account User: The user decides to interact with a dapp through its website with the goal of minting an NFT. The user clicks either "Connect Wallet" or "Sign In with Account Provider." This action redirects the user to a sign-in or sign-up page. Existing users sign in to authorize the dapp to use their Zero Trust account. New users create a unique name for their account, and upon entering this name, the ZeroTrust account becomes "created,” and the user can grant the dapp access to it. -

Under the Hood: We associate a passkey with the user's chosen account name, enhancing security. The metadata related to the passkey is securely stored in the user's browser's local storage. Using this metadata, we derive a counterfactual smart contract wallet address.

Step 2: Authorize Dapp User: The user authorizes the dapp to use the account, by choosing the scope to limit what the dapp can do while the session is active. The user signs the user operation, which records session details on the blockchain for security. -

Under the hood: A sessionID is created which defines the scope for activity. The sessionID is committed onchain by signing a transaction using the passkey. This saves the sessionID onchain.

Step 3: Mint NFT User: The user is redirected to the dapp to interact with the dapp, using the authorized ZeroTrust account. The user clicks "mint" and mints the NFT.

Under the hood: Instead of signing each user operation and being interrupted with signature requests, the user submits a zero-knowledge proof for the operation. All operations occur on the user's device.

10. Code

GitHub - KannuSingh/zero-trustContribute to KannuSingh/zero-trust development by creating an account on GitHub.github.com

11. Demo

Created by Karandeep Singh and Alexander Chopan

Powered by Pimlico

Comments

All Comments

Recommended for you

  • A Total of 37,212.18 DMD Permanently Burned Over the Past 7 Days

    July 9, 2026 — According to the latest on-chain data released by DMDAO, a total of 37,212.18 DMD has been permanently burned over the past seven calendar days through the protocol's predefined trading and wealth management burn mechanisms.

  • Whale Transfers 1,133 BTC to Coinbase Prime, Valued at $71.48 Million

    According to Onchain Lens monitoring, a whale transferred 1,133 BTC from Coinbase to Coinbase Prime through an intermediary wallet, valued at $71.48 million.

  • U.S. AI Chip Stocks Decline Before Market Open, Intel Falls Over 3%

    On July 7, U.S. AI chip stocks experienced widespread declines before the market opened. Intel dropped over 3%, while AMD, Qualcomm, and NXP fell more than 2%. TSMC, Broadcom, and Tesla decreased by over 1%, and NVIDIA declined by 0.7%.

  • China's Central Bank Increases Gold Reserves for the 20th Consecutive Month

    As of the end of June, China's gold reserves stood at 75.44 million ounces (approximately 2,346.446 tons), an increase of 480,000 ounces (about 14.93 tons) from the end of May, which reported 74.96 million ounces (approximately 2,331.52 tons). This marks the 20th consecutive month of gold accumulation.

  • China's Foreign Exchange Reserves in June at $341.6262 Billion

    On July 7, China's foreign exchange reserves for June stood at $341.6262 billion, a decrease of $26 billion from the end of May, representing a decline of 0.75%, with expectations set at $343.2 billion.

  • U.S. Storage Stocks Drop Pre-Market, SanDisk and Micron Down Over 4%

    On July 7, U.S. storage concept stocks collectively fell in pre-market trading. Western Digital dropped over 5%, SanDisk and Micron Technology fell over 4%, Seagate Technology declined over 3%, Rambus fell over 2%, and SMI fell over 1%.

  • U.S. Stocks in Optical Communication Sector Drop Pre-Market

    On July 7, stocks in the optical communication sector of the U.S. market collectively fell pre-market. Astera Labs dropped over 4%, while Marvell Technology, Credo Technology, and AXT Inc. fell more than 3%. Tower Semiconductor, MaxLinear, Corning, Applied Optoelectronics, GlobalFoundries, Lumentum, and Qorvo all declined by more than 2%. Coherent, Nokia, Amphenol, and Broadcom dropped over 1%.

  • Pre-market Decline in U.S. Storage Stocks

    In pre-market trading, U.S. storage concept stocks experienced a widespread decline, with Micron Technology falling by 4.8%, SanDisk dropping over 4%, Corning down more than 2%, and Intel decreasing by over 3%.

  • Two Departments: Support for Reinsurance Institutions to Increase Capital and Issue Supplementary Capital Tools

    On July 7, the National Financial Supervision and Administration Bureau and the Shanghai Municipal Government released several measures to accelerate the construction of the Shanghai International Reinsurance Center. Among these measures, they proposed to enhance the quality and efficiency of the reinsurance industry, support reinsurance institutions in increasing capital and expanding shares, and issuing supplementary capital tools to improve the capacity for internal capital accumulation and external capital supplementation, thereby strengthening the reinsurance industry's capabilities. The initiative aims to guide the insurance industry to focus on major national projects, strategic emerging industries, and livelihood security, consolidating insurance and reinsurance underwriting capabilities to enhance risk protection levels. It also supports reinsurance institutions in leveraging their professional technical advantages to assist the insurance industry in reducing risk.

  • Sources: Saudi Arabia Plans to Expand Oil Pipeline to Red Sea, Increasing Capacity by 2 Million Barrels Daily to Bypass Strait of Hormuz

    On July 7, five informed sources revealed that Saudi Arabia is considering expanding the crude oil pipeline capacity to its western coast on the Red Sea, allowing Saudi Arabia and its neighbors to transport more oil without passing through the Strait of Hormuz. This east-west pipeline, built in the early 1980s, has gained strategic importance since the outbreak of the Iran war in February and the disruption of shipping in the Strait of Hormuz. The pipeline can deliver up to 7 million barrels of crude oil per day to the Red Sea port. The CEO of Saudi Aramco stated in May that approximately 2 million barrels are supplied to west coast refineries, while about 5 million barrels are for export. Sources indicate that Saudi Arabia is in preliminary discussions with some neighboring countries regarding the pipeline expansion, aiming to add about 2 million barrels of pipeline capacity per day. It remains unclear whether Aramco's planned expansion involves upgrading existing infrastructure or constructing new pipelines. One source mentioned that the expansion plan also includes a smaller refined oil pipeline. Two sources indicated that the expansion scale could range from 1 million to 2 million barrels per day, with refined oil also being considered. Another source stated that the project would take several years and cost billions of dollars, requiring adjustments to Saudi crude pricing mechanisms.